Bug 33098 - request body with C-L but early EOF does not error
request body with C-L but early EOF does not error
Status: RESOLVED FIXED
Product: Apache httpd-2
Classification: Unclassified
Component: Core
2.0-HEAD
PC Linux
: P2 normal (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2005-01-14 14:33 UTC by Joe Orton
Modified: 2009-10-20 07:39 UTC (History)
1 user (show)



Attachments
fix to return an errror when EOS is seen in an incomplete body in ap_http_filter() (1.15 KB, patch)
2009-07-07 15:20 UTC, Stefan Fritsch
Details | Diff
updated fix (947 bytes, patch)
2009-07-08 13:39 UTC, Stefan Fritsch
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Joe Orton 2005-01-14 14:33:36 UTC
Tony Bennett reported to dav-dev that mod_dav does not notice if you send a
request body with a "C-L: X" header but send EOF before sending X bytes of
request body; probably this needs to be caught somewhere above mod_dav.
Comment 1 Dan Poirier 2009-05-22 08:21:59 UTC
Seems like an issue in core rather than mod_dav.
Comment 2 Stefan Fritsch 2009-06-04 11:38:30 UTC
I have a report that mod_dav occasionally deletes files after an unsuccessful upload. See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525137

There is the error message "Could not get next bucket brigade [500, #0]" in the error log. Could this be the same issue?
Comment 3 Stefan Fritsch 2009-07-07 12:16:17 UTC
The Debian bug is a different issue.
Comment 4 Stefan Fritsch 2009-07-07 12:20:48 UTC
It would be possible to fix this in mod_dav by counting the bytes received and comparing with the number in the C-L header. If there is some encoding like chunked or gzip, the C-L will already have been removed, so no problem there.

Or should the core / some input filter do the counting and return an error when mod_dav tries to read the missing data?
Comment 5 Ruediger Pluem 2009-07-07 12:32:34 UTC
Doesn't mod_dav get an error message (at least a timeout error) if it tries to read from the input filter chain and no more data is present?
Comment 6 Stefan Fritsch 2009-07-07 12:45:39 UTC
mod_dav just reads until it sees an EOS bucket.

It ignores all metadata buckets. Is there some error bucket when the post body is too short that mod_dav could use to detect the error?
Comment 7 Ruediger Pluem 2009-07-07 13:38:24 UTC
(In reply to comment #6)
> mod_dav just reads until it sees an EOS bucket.
> 
> It ignores all metadata buckets. Is there some error bucket when the post body
> is too short that mod_dav could use to detect the error?

No, but if not all content was sent it shouldn't see an EOS bucket. Instead if the content is not sent completely ap_get_brigade should return an error (most likely a timeout).
And in fact it does (see line 978 of mod_dav.c on trunk).
And ap_xml_parse_input does as well.
Comment 8 Stefan Fritsch 2009-07-07 13:48:48 UTC
(In reply to comment #7)
> No, but if not all content was sent it shouldn't see an EOS bucket. Instead if
> the content is not sent completely ap_get_brigade should return an error (most
> likely a timeout).

ok, then the bug is in the input filter.

I was under the (wrong) impression that this bug only appears if C-L is given. But it also appears with chunked encoding if the first chunk is transferred completely and the body is truncated later.
Comment 9 Stefan Fritsch 2009-07-07 15:20:34 UTC
Created attachment 23936 [details]
fix to return an errror when EOS is seen in an incomplete body in ap_http_filter()

this seems to fix the issue (haven't done much testing, though)
Comment 10 Ruediger Pluem 2009-07-08 00:17:45 UTC
(In reply to comment #9)
> Created an attachment (id=23936) [details]
> fix to return an errror when EOS is seen in an incomplete body in
> ap_http_filter()
> 
> this seems to fix the issue (haven't done much testing, though)

Basicly looks good. IMHO it is safe to assume that if there is an EOS bucket in the brigade then it is the last bucket. Thus you can safe the loop and just check if the last bucket is an EOS bucket.
Comment 11 Stefan Fritsch 2009-07-08 13:39:36 UTC
Created attachment 23944 [details]
updated fix

Thanks. It works without the loop, too.
Comment 12 Ruediger Pluem 2009-07-08 23:30:00 UTC
Committed to trunk a r792409.
Comment 13 Dan Poirier 2009-10-20 07:39:09 UTC
Backported to 2.2.x.  Should be in the next 2.2 release after 2.2.14.